Friday, 28 August 2009

Why I want to live in an insecure world?

I want to live in an insecure world because an insecure world is a safer world

I.e. the more insecure we are, the safer we are!

The fact that something bad/unexpected CAN happen (what we usually call a vulnerability), doesn't automatically mean that it WILL happen or be exploited (this is something that the business guys understand very well, but usually the security guys don’t).

In fact, usually, the more insecure the system is, the easier it is to do business with it, and the easier it is for its users to interact with.

This is something that the Credit Card industry understands really well. In fact, one criticism that the great Geekonomics book (for example, see the chapter "We'll Be Compliant, Later") throws at it is the fact that they (the Credit Card industry) build insecure systems by design, mainly because they want them to be easy to use. They accept a certain percentage of fraud, which basically means that they are trading security for functionality and ease-of-use (i.e. they are making a risk decision to build insecure systems (or systems not as secure as they could be)).

PCI, from a risk-reduction point of view, is a MASSIVE success. From a making-the-websites-more-secure-and-not-exploitable point of view, PCI is probably not as successful/effective as the PCI-bashing crowd would like it to be.

Coming back to the main idea of this post, the reason I want to live in an insecure world is because I want to live in a world where I can leave my doors unlocked!

I (and my family) am much more secure in a neighborhood where I don't have to lock my door (and I don't have to physically protect my assets) than in a neighborhood where I need private security guards with machine guns outside my door to protect myself.

I.e. I want to live in a world where I don't have to care about security, because that is actually a safer world.

Of course, in the real world and in normal neighborhoods, one can't leave the doors unlocked all the time. What we do is adjust our security measures to the current perceived threats (and the probability that the vulnerability (the door not being locked) is going to be exploited).

It is ultimately a risk decision (sometimes our 'perceived' threats are grossly over- or under-estimated (see Bruce for tons of examples of this), but that tends to adjust itself with time).

I don't have a problem with clients making risk decisions (for example, choosing NOT to fix a security vulnerability, or applying a short-term remediation using a WAF). As long as it doesn't affect me personally, it is their decision to make. After all, it is their business.

I DO HAVE a problem when clients DON'T know how insecure they might be and how many vulnerabilities exist in their applications/systems. My view of my job (and of OWASP's) is to give clients and users VISIBILITY into the security implications of what they are building, buying or using. What to do with that visibility and knowledge is NOT my job :)

Ultimately, when the market has a good understanding of what is going on, it tends to make good decisions. The problems tend to occur when the market DOESN'T understand what is going on (as the recent financial crash has shown us).